CVE-2018-1274

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/103769	Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1274	Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.securityfocus.com/bid/103769	Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1274	Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal_software:spring_data_commons::::::::
	cpe:2.3:a:pivotal_software:spring_data_commons::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:pivotal_software:spring_data_rest::::::::
	cpe:2.3:a:pivotal_software:spring_data_rest::::::::

History

21 Nov 2024, 03:59

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/103769 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/103769 - Third Party Advisory, VDB Entry
References	~~() https://pivotal.io/security/cve-2018-1274 - Vendor Advisory~~	() https://pivotal.io/security/cve-2018-1274 - Vendor Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html -~~	() https://www.oracle.com/security-alerts/cpujul2022.html -

25 Jul 2022, 18:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

Information

Published : 2018-04-18 16:29

Updated : 2024-11-21 03:59

NVD link : CVE-2018-1274

Mitre link : CVE-2018-1274

CVE.ORG link : CVE-2018-1274

JSON object : View

Products Affected

pivotal_software

spring_data_commons
spring_data_rest

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2018-1274

7.5^/10

5.0^/10

Attach tags to `CVE-2018-1274`